System and method for updating network computer systems

ABSTRACT

An update system configured to provide software updates, software patches and/or other data packets to one or more computer systems via a network is disclosed. The update system may interact with a network management system, such as an enterprise management system, to distribute data packets and gather configuration information. The update system may generate and send commands to the network management system. The network management system may carry out the commands to distribute data packets and/or gather configuration information.

PRIORITY CLAIM

This application is a continuation of U.S. patent application Ser. No. 13/763,363 entitled “SYSTEM AND METHOD FOR UPDATING NETWORK COMPUTER SYSTEMS” filed Feb. 8, 2013, which is a continuation of U.S. patent application Ser. No. 12/115,301 entitled “SYSTEM AND METHOD FOR UPDATING NETWORK COMPUTER SYSTEMS”, filed May 5, 2008 and issued as U.S. Pat. No. 8,375,108, which is a continuation of U.S. patent application Ser. No. 10/242,309 entitled “SYSTEM AND METHOD FOR ENHANCED SOFTWARE UPDATING AND REVISION” filed Sep. 12, 2002, issued as U.S. Pat. No. 7,370,092, all of which are incorporated in their entireties herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

Embodiments disclosed herein generally relate to the field of control of computer networks. More particularly, the present invention relates to a system and method for controlling distribution of data packets to one or more computer systems coupled to a network of computers.

2. Description of the Related Art

It has become quite common for organizations to have computer networks spanning large areas and/or including a large number of computer systems. For example, many government, commercial and educational organizations have networks that include hundreds of computers distributed over very large areas. Some of these networks are literally global. The number and distribution of computer systems on such networks makes managing them a difficult and resource intensive task. On top of this difficulty is the increased need for security in many networks. Both the increase in hostile code (e.g., viruses, worms, etc.) and the prevalence of attacks on networks by individuals (e.g., hackers) cause network security to be a high priority in many organizations.

In addition to security concerns, organizations managing a network may desire to have some control over software applications that are installed on computers coupled to the network. Such control may be desirable to ensure software compatibility, licensing control, etc.

Several categories of software tools have been created to help administrators (including network administrators and system or desktop systems administrators) deal with the challenge of configuration management over networks. Some such tools are commonly referred to as enterprise management systems (EMS) or network management systems. An EMS may allow an administrator to control a computer system remotely. Thus, the EMS may allow the administrator to determine the configuration of the computer system. The EMS may also allow the administrator to alter the configuration. For example, the administrator may be able to remotely install software onto a computer system. An EMS may also assist an administrator in overseeing network access functions.

Another category of software tools is the patch management system. Patch management systems are designed to assist an administrator in distributing one or more software updates, or patches, to a number of computer systems substantially simultaneously. The software update process is often done in the background so that a user of the computer system is not affected by the update. Patch management systems may be divided into two categories, agent based and non-agent based. An agent based patch management system requires that an agent application, associated with the patch management system, be installed on each computer system that the patch management system will be updating. In a large network, installing an agent on each computer may be very time consuming and resource intensive. Non-agent based systems do not require an agent; rather, they gather information regarding the computers coupled to the network remotely. This may be problematic at times if the network is not relatively static. Changes in the network may cause the non-agent based patch management system to be unable to access one or more computers on the network.

SUMMARY OF THE INVENTION

In an embodiment, a method of providing data packets to a plurality of computer systems coupled to a network may include providing a network management system on the network. The network management system may include one or more agent programs on one or more computer systems coupled to the network. An agent program may be configured to receive commands from a network management system server and to implement received commands on the computer system. An update system may also be provided on the network. The update system may be configured to issue commands to the network management system for execution on the network management system server or on one or more computer systems coupled to the network. The update system may be configured by a user to identify one or more data packets and to associate one or more data packets with one or more computer systems. One or more commands may be generated in the update system and sent from the update system to the network management system. In response to one or more commands, the network management system may install one or more data packets on one or more computer systems coupled to the network. The network management system may utilize functions available to the network management system server and/or one or more network management system agents to install the data packet(s). In an embodiment, a log file may be stored on a computer system which lists commands received by the computer system from the update system via the network management system.

In some embodiments, the update system may also be configured to generate one or more commands, which cause the network management system to determine configuration information regarding one or more computer systems coupled to the network. Configuration information may include hardware and/or software configuration information. For example, the update system may also invoke functions of the network management system to determine whether one or more data packets were installed properly by the network management system.

In an embodiment, configuration information may be determined by scanning one or more computer systems coupled to the network using a scanning agent. Configuration information may be compared to a software list. Comparison of configuration information to the software list may be used to determine whether a data packet should be sent to a particular computer system or group of computer systems. The comparison may also be used to determine whether prohibited software applications are present on a computer system. The configuration information may be stored in a memory for use in making decisions and generating status reports. In certain embodiments, no additional software (e.g., agent applications) needs to be installed on a computer system coupled to the network in order to execute the update system. In some embodiments, the update system may send its own scanning agent via the network management system to one or more computer systems coupled to the network. For example, the update system scanning agent may be used to provide a secondary verification of whether a data packet was installed properly by the network management system. In some of such embodiments, the update system scanning agent may not persist on computer systems to which it was sent after providing scanning information to the update system. For example, the update system scanning agent may be deleted from the computer systems.

An update system, in one embodiment, may allow a user to assign one or more computer systems coupled to the network to one or more groups. In such embodiments, data packets to be distributed may be associated with one or more computer systems and/or one or more groups.

An update system may be configured to send a data packet to a computer system based on one or more configured rules (or criteria). For example, a criterion may depend on whether one or more files having specified parameters exist on the computer system. In another example, a criterion may depend on whether one or more software applications having specified parameters exist on the computer systems. In another example, a criterion may depend on whether the registry file of the computer system meets specified parameters. Other examples may include whether an operating system of the computer systems meets specified parameters, whether a specified time has elapsed, whether an allowed number of attempts to send the data packet has been met, etc.

In an embodiment, one or more data packets may be provided in a memory associated with a network management system server. An update system may also be provided. The update system may be configured to provide one or more data packets to one or more computer systems on the network. The update system may attempt to place one or more data packets on one or more of the computer systems. After attempting to place one or more data packets on one or more computers, the update system may determine whether one or more of the placement attempts were successful (e.g., by scanning one or more computer systems). If one or more placement attempts were unsuccessful, the update system may determine if an allowed number of unsuccessful placement attempts for at least one computer system has been met. If the allowed number of unsuccessful placement attempts for at least one computer system has been met, the computer system may be inhibited from logging on to the network. If the computer system is in use, the computer system may be forcibly logged off the network.

In another embodiment, an update system may determine if one or more data packets are present on one or more computer systems (e.g., by scanning one or more computer systems). The update system may select one or more computer systems to which one or more additional data packets should be sent. For example, one or more computer systems may be sent additional data packets based on the configuration of the receiving computer system, a group to which the receiving computer system is assigned in the update system, etc. One or more additional data packets may be sent to one or more selected computer systems. A determination may be made as to whether one or more additional data packets were received and loaded onto one or more computer systems.

BRIEF DESCRIPTION OF THE DRAWINGS

Other objects and advantages of the invention will become apparent upon reading the following detailed description and upon reference to the accompanying drawings in which:

FIG. 1 depicts embodiments of a wide area network and a local area network;

FIG. 2 depicts an embodiment of a computer system;

FIG. 3 depicts an embodiment of a data packet manager screen of an update system;

FIG. 4 depicts an embodiment of a settings screen 400 of an update system;

FIG. 5 depicts an embodiment of a settings screen for configuring an interface between an update system and a network management system;

FIG. 6 depicts an embodiment of a network management configuration screen of an update system;

FIG. 7 depicts an embodiment of a thresholds settings screen of an update system;

FIG. 8 depicts an embodiment of a data packet manager screen of an update system;

FIG. 9 depicts an embodiment of an identification section of a configuration window;

FIG. 10 depicts an embodiment of an installation section of a configuration window;

FIG. 11A depicts an embodiment of a condition section of a configuration window with the file tab selected;

FIG. 11B depicts an embodiment of a condition section of a configuration window with the applications tab selected;

FIG. 11C depicts an embodiment of a condition section of a configuration window with the registry tab selected;

FIG. 11D depicts an embodiment of a condition section of a configuration window with the operating system tab selected;

FIG. 12 depicts an embodiment of an audited data packets screen of an update system;

FIG. 13 depicts an embodiment of a group manager screen of an update system;

FIG. 14 depicts an embodiment of a group manager screen with a node selected in the hierarchy window;

FIG. 15 depicts an embodiment of a group manager screen in a group by assigned data packets view;

FIG. 16 depicts an embodiment of a configuration for group window with a data packet selected in hierarchy window;

FIG. 17 depicts an embodiment of a groups/subgroups pull down menu;

FIG. 18 depicts an embodiment of a node manager screen of an update system;

FIG. 19 depicts an embodiment of an add nodes screen of an update system;

FIG. 20 depicts an embodiment of an assigned data packets window of an update system;

FIG. 21A depicts an example of an Executive Summary report;

FIG. 21B depicts an example of an overview report of status and activities for an entire network;

FIG. 21C depicts an example of an overview report of status and activities related to a group;

FIG. 21D depicts an example of a report of status and activities related to nodes in a group;

FIG. 21E depicts an example of a report of status and activities related to data packets assigned to a group;

FIG. 21F depicts an example of an overview report of status and activities related to particular data packets;

FIG. 21G depicts an example of a data packet installation history report;

FIG. 21H depicts an example of a data packet detail report;

FIG. 21I depicts an example of a detailed report of status and activities related to one or more nodes;

FIG. 21J depicts an example of a report summarizing software applications identified on a network;

FIG. 21K depicts an example of a report listing installation history of the update system by node; and

FIG. 21L depicts an example of a report summarizing status and activities related to a number of groups.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that the drawings and detailed description thereto are not intended to limit the invention to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the present invention as defined by the appended claims.

DETAILED DESCRIPTION OF SEVERAL EMBODIMENTS

Embodiments described herein provide methods, systems, and carrier media for distributing data packets to one or more computer systems coupled to a network of computers.

FIG. 1 illustrates a wide area network (WAN) according to one embodiment. WAN 102 is a network that spans a relatively large geographical area. The Internet is an example of WAN 102. WAN 102 typically includes a plurality of computer systems which are interconnected through one or more networks. Although one particular configuration is shown in FIG. 1, WAN 102 may include a variety of heterogeneous computer systems and networks which are interconnected in a variety of ways and which may run a variety of software applications.

One or more local area networks (LANs) 104 may be coupled to WAN 102. A LAN 104 is a network that spans a relatively small area. Typically, a LAN 104 is confined to a single building or a group of buildings. Each node (i.e., individual computer system or device) on a LAN 104 preferably has its own CPU with which it executes programs, and each node is able to access data and devices anywhere on the LAN 104. The LAN 104 thus allows many users to share devices (e.g., printers) as well as data stored on file servers. The LAN 104 may be characterized by any of a variety of types of topology (i.e., the geometric arrangement of devices on the network), of protocols (i.e., the rules and encoding specifications for sending data, and whether the network uses a peer-to-peer or client/server architecture), and of media (e.g., twisted-pair wire, coaxial cables, fiber optic cables, radio waves, etc.).

Each LAN 104 includes a plurality of interconnected computer systems and optionally one or more other devices: for example, one or more workstations 110 a, one or more personal computers 112 a, one or more portable computer devices (e.g., laptop or notebook computer systems 114), one or more server computer systems 116, and one or more network printers 118. As used herein, a “server” refers to a computer program that, during execution, provides services to other computer programs executing in the same or other computer systems. The computer system on which a server program is executing may also be referred to as a server, though it may contain a number of server and client programs. In the client/server model, a server is a program that awaits and fulfills requests from client programs in the same or other computer systems. The LAN 104 may be coupled to other computer systems and/or other devices and/or other LANs through WAN 102.

One or more mainframe computer systems 120 may be coupled to WAN 102. As shown, mainframe 120 may be coupled to a storage device or file server 124 and mainframe terminals 122 a, 122 b, and 122 c. Mainframe terminals 122 a, 122 b, and 122 c may access data stored in the storage device or file server 124 coupled to or included in mainframe computer system 120.

WAN 102 may also include computer systems which are connected to WAN 102 individually and not through a LAN 104: as illustrated, for purposes of example, a workstation 110 b and a personal computer 112 b. For example, WAN 102 may include computer systems which are geographically remote and connected to each other through the Internet. As used herein, the term “network” includes a LAN 104 or a WAN 102.

FIG. 2 illustrates a typical computer system 150 which may be suitable for implementing various portions of embodiments disclosed herein. Each computer system 150 typically includes components such as a CPU 152 with an associated memory medium such as floppy disks 160. The memory medium may store program instructions for computer programs, wherein the program instructions are executable by the CPU 152. The computer system 150 may further include a display device such as a monitor 154, an alphanumeric input device such as a keyboard 156, and a directional input device such as a mouse 158. Computer system 150 may be operable to execute one or more computer programs to implement embodiments described herein.

Computer system 150 preferably includes or is in communication with a memory medium on which computer programs according to various embodiments may be stored. The term “memory medium” is intended to include an installation medium, e.g., a CD-ROM, DVD, or floppy disks 160, a computer system memory such as DRAM, SRAM, EDO RAM, Rambus RAM, etc., or a non-volatile memory such as a magnetic media, e.g., a hard drive, or optical storage. The memory medium may include other types of memory as well, or combinations thereof. In addition, the memory medium may be located in a first computer in which the programs are executed, or may be located in a second different computer which connects to the first computer over a network connection 159. In the latter instance, the second computer may provide the program instructions to the first computer for execution. Computer system 150 may take various forms, including a personal computer system, a mainframe computer system, a workstation, a network appliance, an Internet appliance, a personal digital assistant (PDA), a television system or another device. In general, the term “computer system” may be broadly defined to encompass any device having a processor which executes instructions from a memory medium. Additionally, a “computer system” may generally describe hardware and software components that in combination may allow execution of computer programs. Computer programs may be implemented in software, hardware, or a combination of software and hardware.

In an embodiment, a network may include one or more software applications that may be used by a network administrator to monitor and/or control various aspects of one or more computer systems coupled to the network. As used herein, one or more software applications that enable a user to monitor and/or control one or more computer systems on a network may be referred to as a “network management system.” Network management systems are also known in the art by various other names including: configuration management systems and enterprise management systems. Network management systems may include, but are not limited to applications and application suites such as: Configuration Manager available from the Tivoli Software Group of IBM Corporation of Austin, Tex.; bv-Control available from Bindview Corporation of Houston, Tex.; System Management Server available from Microsoft Corporation of Redmond, Wash.; and UniCenter available from Computer Associates International, Inc. of Islandia, N.Y.

Generally, a network management system (NMS) may include one or more applications installed on one or more server computers. Portions of a NMS installed on one or more servers may provide an interface used by an administrator to operate the NMS. Additionally, portions of a NMS installed on one or more servers may provide monitoring and control functions which interface with one or more agent applications (hereinafter “agents”) installed on one or more computer systems coupled to the network. As used herein, an “agent” refers to an application installed on a first computer system which receives commands, executes commands on the first computer system and/or sends information regarding the first computer system to one or more second computer systems. For example, the second computer system may be a server. The agent may interact with an application on the server computer system to provide monitoring and/or control functionality over the first computer system to a user via the server.

In an embodiment, a NMS may interact with one or more other applications to provide data packets to one or more computer systems coupled to the network. As used herein, a “data packet” refers to a computer file in any format. Examples of data packets may include, but are not limited to: executable files, text files, graphics files, software patches and other data and application files. For example, a NMS may interact with one or more other applications to provide software updates and/or software patches to one or more computer systems coupled to a network. A process of providing software patches and/or software updates may include, but is not limited to:

- registration of hardware and/or software assets of one or more computer systems;
- auditing of one or more computer systems to discover existing hardware and software configuration;
- comparing discovered software against a master control list (“MCL”) of software;
- determining whether a software version of one or more discovered software applications is the desired version of the software based on the MCL;
- installing one or more software updates or software patches onto one or more computer systems; and
- verifying that one or more software updates or software patches were installed correctly on one or more computer systems.

As used herein, a software application or application suite which interacts with a NMS to provide data packets to one or more computer systems of a network may be referred to as an “update system.” By interacting with an existing network management system an update system may not require installation of any agents of its own on computer systems within the network. Thus, the update system may be installed on a server coupled to the network and utilize agents of the NMS to implement various functions, such as those described above. Such an embodiment may save time on large networks where installing software on individual computer systems may be cumbersome and expensive due to the distribution of the computer systems, the number of computer systems, the variety of computer systems, the variety of operating systems and/or the variety of network environments.

In an embodiment, an update system may be installed on a computer system coupled to a network. The update system may be installed on a computer system that has access to the network management system (“NMS”). For example, the update system may be installed on a server used to execute the NMS. As used herein, a server computer system upon which the NMS may be executed is referred to as a “network management system server.” The update system may generate commands and send the commands to the NMS to install one or more data packets on one or more computer systems coupled to the network.

In an embodiment, the update system may be user configurable via a user interface. FIG. 3 depicts an exemplary embodiment of a configuration screen of an update system. A user interface screen of an update system may include a number of input and/or display elements to enable a user to provide and/or review configuration information. For example, FIG. 3 depicts an embodiment of a data packet manager screen 300 of an update system. Data packet manager screen 300 includes a main tool bar 302, one or more supplemental tool bars 304, a view control tool bar 306, and one or more interface screens 308. In an embodiment, a user may interact with elements of tool bars 302, 304 and/or 306 to display one or more desired interface screens 308. Tool bars may also provide other functions as are well known in the art (e.g., closing the update system, providing access to a context sensitive help feature, refreshing data displayed in an interface screen, etc.).

In an embodiment, a user interface of an update system may provide a settings screen to allow a user to configure interfaces between portions of the update system, interfaces between the update system and the network management system and other system wide update parameters. FIG. 4 depicts an exemplary embodiment of a settings screen 400 of an update system. Settings screen 400 may include tabs for selecting one or more aspects of the update system for configuration. For example, a database settings tab 402 may be selected (as shown in FIG. 4) to configure an interface between the update system and one or more databases used to store update system data. For example, one or more databases may be used to store update system parameters, data packets and/or data packet distribution criteria.

In an embodiment, settings screen 400 may also include a NMS tab 404 for configuring an interface between the update system and a network management system, as depicted in FIG. 5. NMS tab 404 may allow a user to specify a NMS that exists or will exist on the network. Specifying the NMS allows the update system to determine a command structure (e.g., command syntax, etc.) used by the NMS. NMS configuration screen 600 (as depicted in FIG. 6) may be displayed in response to selecting properties button 504. NMS configuration screen 600 may include a number of tabs for configuring various portions of the NMS/update system interface. The particular configurable options displayed in NMS configuration screen 600 may be determined based on the NMS specified in NMS tab 404. For example, a Tivoli configuration screen is depicted in FIG. 6 since Tivoli was selected on NMS tab 404. However, if another NMS had been specified different configuration options may have been displayed in NMS configuration screen 600.

NMS configuration screen 600 may include a NMS settings tab 602. NMS settings tab 602 may allow a user to specify directory path and name options for accessing the NMS. NMS configuration screen 600 may also include a database settings tab 604 for configuring access information regarding one or more databases utilized by the NMS. One or more tabs may also be provided for configuring options of the NMS that may be utilized by the update system. For example, debug options tab 606 may be utilized to set debug options for the NMS to use when providing data packets to one or more computer systems.

In an embodiment, update system settings screen 400 may include one or more additional tabs for configuring update system options. For example, a thresholds tab 406 may be provided, as depicted in FIG. 7. Thresholds tab 406 may allow a user to configure threshold values for sending one or more data packets to one or more computer systems coupled to the network. For example, as depicted in FIG. 7, threshold values may include values used to determine whether an attempt to send a number of data packets to a number of computer systems was successful or not. In the threshold tab screen depicted in FIG. 7, a success threshold has been set at 80%. Thus, if 80% or more of the data packets are successfully received by their intended computer systems, the update system may indicate to the user that the action was successful. Such customized thresholds may assist the user in determining high priority or critical concerns. For example, a screen may be provided which summarizes how many computer systems on the network have received a particular data packet. The screen may color code icons representing computer systems or groups of computer systems to allow the user to make a quick assessment of the deployment status of the data packet.

Other threshold values may also be set by the user. For example, a number of installation attempts before notification may be established by the user. The number of installation attempts threshold 702 may determine how many times the update system will try to send a data packet to a particular computer system before alerting the user that there is a problem in sending the data packet. The notification may be via an active messaging system (e.g., email, pager notification, etc.) or via a passive notification such as applying a color code to the computer system in reports requested by the user. Additionally, number of installation attempts threshold 702 may be used to determine whether other actions should be taken. For example, if a computer system has met or exceeded number of installation attempts threshold 702 the update system may inhibit access to the network via the computer system. Alternately, a user of the computer system may be inhibited from logging on to the computer system or network. For example, in an embodiment, the computer system may be logged off of the network. The computer system may not be allowed to log on to the network until the data packet has been successfully installed.
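The two thresholds described above can be modelled as a small per-node state machine. The following is an added illustration, not code from the patent or from any product it names: the names `Node`, `record_attempt` and `deployment_status`, the sample node names, and the attempt limit of 3 are assumptions (the text gives 80% for the success threshold but no value for threshold 702).

```python
from dataclasses import dataclass, field

SUCCESS_THRESHOLD = 0.80   # success threshold from the FIG. 7 description
MAX_ATTEMPTS = 3           # assumed value for threshold 702; the text gives none


@dataclass
class Node:
    name: str
    attempts: int = 0
    installed: bool = False
    network_access: bool = True
    alerts: list = field(default_factory=list)


def record_attempt(node, verified, max_attempts=MAX_ATTEMPTS):
    """Record one placement attempt; `verified` is the post-install scan result."""
    node.attempts += 1
    if verified:
        node.installed = True
        node.network_access = True   # access returns once the packet is installed
        return node
    # "met or exceeded": act when the count reaches the limit, and alert only once.
    if node.attempts >= max_attempts and node.network_access:
        node.network_access = False
        node.alerts.append(
            f"{node.name}: {node.attempts} failed attempts, network access inhibited"
        )
    return node


def deployment_status(nodes, threshold=SUCCESS_THRESHOLD):
    """Roll node states up into the success/failure view the thresholds tab drives."""
    total = len(nodes)
    done = sum(1 for n in nodes if n.installed)
    ratio = done / total if total else 0.0
    return {
        "ratio": ratio,
        "successful": total > 0 and ratio >= threshold,   # 80% or more counts as success
        "inhibited": sorted(n.name for n in nodes if not n.network_access),
        "alerts": [a for n in nodes for a in n.alerts],
    }


def run_sample():
    """Constructed sample: five nodes, one of which never passes verification."""
    # Each list holds the scan result of successive attempts (constructed data).
    outcomes = {
        "ws-01": [True],
        "ws-02": [False, True],
        "ws-03": [True],
        "ws-04": [True],
        "lt-05": [False, False, False],
    }
    nodes = []
    for name, results in outcomes.items():
        node = Node(name)
        for verified in results:
            record_attempt(node, verified)
        nodes.append(node)
    return nodes, deployment_status(nodes)


if __name__ == "__main__":
    _, status = run_sample()
    print(status)
```

Note that a deployment can be reported as successful at exactly 80% while one node is still cut off from the network, so the roll-up and the per-node alerts need to be read together.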

An update system settings screen 400 may include one or more tabs forconfiguring update system access options. For example, a users/passwordstab 408 may be provided. Settings screen 400 may also include one ormore tabs for configuring user options of one or more tools accessiblevia the update system. For example, in an embodiment, one or morecommercially available software applications may be accessible fromwithin the update system. As depicted in FIG. 4, settings screen 400includes a HotFix Analyzer tab 410. HotFix Analyzer is a softwareapplication commercially available from Microsoft Corp. of Redmond, WA.HotFix Analyzer checks computer systems configuration informationagainst a list of security patches maintained by Microsoft. HotFixAnalyzer tab 410 may allow the user to provide configuration parametersfor accessing and executing HotFix Analyzer from within the updatesystem.

The update system may be utilized to configure options related todistributing one or more data packets to one or more computer systems. Anumber of user interface screens may be available to the user forconfiguring distribution options. A number of embodiments ofdistribution configuration screens are discussed below. The specificlayout and features illustrate ways that distribution configurationscreens may be organized.

In an embodiment, a master control list (MCL) may be associated with an update system. An MCL may identify data packet names, versions, version dates and/or other identifying information regarding data packets expected to be encountered on computer systems coupled to the network. The MCL may further indicate whether one or more data packets are allowed or prohibited. The update system may provide an interface for maintaining the MCL, as depicted in FIG. 8. Data packet management screen 800 may include a number of sections for providing various information regarding a data packet. For example, data packet management screen 800 may include an identification section 802, an installation section 804, and/or a condition section 806.

A close up view of identification section 802 is shown in FIG. 9. Identification section 802 may allow a user to enter identifying information related to a data packet such as, but not limited to: data packet name 902, version 904, type of installation 906 (e.g., full, patch, etc.), and whether the data packet is disabled from being sent 908. Additionally, identification section 802 may display the number of computer systems upon which the data packet has been successfully installed 910 and the number of times the update system has attempted to install the data packet on computer systems coupled to the network 912. A verification parameters button 914 may bring up a verification parameters screen. The verification parameters screen may allow the user to set parameters to be used by the update system to determine whether the data packet already exists on a computer system. For example, the user may define a data packet name, version and/or file path to be searched. If a data packet matching the verification parameters is found on a computer system, then the update system will not attempt to install the data packet identified in identification section 802. However, the update system may be updated to indicate that the identified data packet exists on the computer system.

FIG. 10 depicts a close up view of installation section 804. Installation section 804 may include information regarding the installation of the data packet on one or more computer systems. For example, installation information may include, but is not limited to: installation path 1002, command line parameters related to the installation 1004 and whether the installation requires rebooting the computer system after the data packet is loaded 1006. Additionally, installation section 804 may allow the user to select operating systems that the data packet is valid for 1008.

FIGS. 11A, 11B, 11C and 11D depict various views of condition section 806 with different tabs selected. Condition section 806 may be used to configure conditions for the installation of the data packet on a particular computer system or group of computer systems. Tabs 1102, 1104, 1106 and 1108 allow the user to specify different types of conditions.

FIG. 11A depicts a view of condition section 806 with file tab 1102 selected. File tab 1102 may allow a user to specify one or more conditions related to whether or not a file exists on a computer system. A file condition may be directed to any file of any file type. The user may specify a file name in file name field 1112. A date range for creation or modification of the file may be specified in date/time fields 1114. A size range for the file may be specified in size range fields 1116. Condition field 1110 may allow the user to choose whether to install the data packet on computer systems on which the specified file exists or on computer systems on which the specified file does not exist. If so desired, one or more additional file conditions may be added. If additional file conditions are added, a Boolean field 1118 may allow the user to specify whether multiple conditions must all be met or whether only one or more conditions need to be met for the data packet to be installed on a computer system.

FIG. 11B depicts a view of a condition section 806 with an application tab 1104 selected. As on the file tab, the application tab may include a condition field 1120, a name field 1122 and one or more Boolean fields 1124. Additionally, application tab 1104 may include a version field 1126. In an embodiment, a condition specified on application tab 1104 may be checked against information in an update system database rather than on the computer system. For example, an application condition for a first data packet may specify that the data packet should only be installed on computer systems that are also assigned to receive a second data packet. Thus, the second data packet need not be actually present on the computer system.

FIG. 11C depicts a view of a condition section 806 with a registry tab 1106 selected. Registry tab 1106 may allow the user to specify one or more criteria related to the content of the system registry of a computer system. Registry tab 1106 may include a condition field 1130 as previously described. Additionally, a registry path field 1132 may allow the user to define a file path to search for the system registry. Key name field 1134, key type 1136 and key value 1138 may allow the user to specify conditions to search for in the system registry.

FIG. 11D depicts a view of a condition section 806 with an operating system tab 1108 selected. Operating system tab 1108 may allow the user to specify a condition related to an operating system version (e.g., service pack) of a computer system. A condition field 1140 in operating system tab 1108 may allow the user to specify a relationship that must be met for a computer system's operating system to meet the condition. For example, condition field 1140 may allow the user to specify whether the operating system must be greater than, less than, or equal to the defined version in order for the computer system to meet the condition.
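The following is an added sketch, not code from the patent, of how the file, application, registry and operating system conditions, the Boolean field and the verification parameters described above could combine into an install decision for one scanned node. All class, function and field names are hypothetical, and the sample nodes, file path and registry path are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
import operator

# All names below are hypothetical; sample nodes and paths are constructed.

@dataclass
class ClientConfig:
    """Configuration gathered by scanning one node."""
    os_version: tuple                               # (major, minor, service pack)
    files: dict = field(default_factory=dict)       # path -> (size_bytes, modified)
    registry: dict = field(default_factory=dict)    # (path, key name) -> (type, value)
    installed: dict = field(default_factory=dict)   # packet name -> version seen by scan
    assigned: set = field(default_factory=set)      # packets assigned in the update DB

def file_cond(name, must_exist=True, size_range=None, date_range=None):
    """File tab: file present (optionally within size/date ranges) or absent."""
    def check(cfg):
        meta = cfg.files.get(name)
        found = meta is not None
        if found and size_range:
            found = size_range[0] <= meta[0] <= size_range[1]
        if found and date_range:
            found = date_range[0] <= meta[1] <= date_range[1]
        return found == must_exist
    return check

def app_cond(name, must_exist=True):
    """Application tab: checked against update-system assignments, not the node."""
    return lambda cfg: (name in cfg.assigned) == must_exist

def registry_cond(path, key, key_type, value, must_exist=True):
    """Registry tab: key name, type and value under a registry path."""
    return lambda cfg: (cfg.registry.get((path, key)) == (key_type, value)) == must_exist

RELATIONS = {"greater": operator.gt, "less": operator.lt, "equal": operator.eq}

def os_cond(relation, version):
    """Operating system tab: node version compared with a defined version."""
    return lambda cfg: RELATIONS[relation](cfg.os_version, version)

@dataclass
class Packet:
    name: str
    version: str
    disabled: bool = False                          # "disabled from being sent"
    conditions: list = field(default_factory=list)
    require_all: bool = True                        # Boolean field: all vs. at least one
    verify: tuple = None                            # verification parameters (name, version)

def decide(packet, cfg):
    """Return the action for one node: disabled, already-present, install or conditions-not-met."""
    if packet.disabled:
        return "disabled"
    # A match on the verification parameters suppresses the install attempt.
    if packet.verify and cfg.installed.get(packet.verify[0]) == packet.verify[1]:
        return "already-present"
    results = [cond(cfg) for cond in packet.conditions]
    combine = all if packet.require_all else any
    if not results or combine(results):
        return "install"
    return "conditions-not-met"

def plan(packet, nodes):
    """Decision per node name for one data packet."""
    return {name: decide(packet, cfg) for name, cfg in nodes.items()}

APP_EXE = r"C:\Program Files\ExampleApp\app.exe"        # constructed path
REG_PATH = r"HKLM\SOFTWARE\ExampleVendor\ExampleApp"    # constructed registry path
REG_KEY = {(REG_PATH, "Channel"): ("REG_SZ", "stable")}

NODES = {  # constructed scan results
    "ws-01": ClientConfig((5, 1, 1), files={APP_EXE: (2048, datetime(2002, 3, 1))},
                          registry=dict(REG_KEY), assigned={"ExampleApp"}),
    "ws-02": ClientConfig((5, 1, 2), assigned={"ExampleApp"}),
    "ws-03": ClientConfig((5, 1, 1), files={APP_EXE: (2048, datetime(2002, 3, 1))},
                          registry=dict(REG_KEY), installed={"ExamplePatch": "1.1"},
                          assigned={"ExampleApp"}),
}

PATCH = Packet("ExamplePatch", "1.1",
               conditions=[file_cond(APP_EXE, size_range=(1024, 4096)),
                           registry_cond(REG_PATH, "Channel", "REG_SZ", "stable"),
                           os_cond("less", (5, 1, 2)),
                           app_cond("ExampleApp")],
               verify=("ExamplePatch", "1.1"))

if __name__ == "__main__":
    for node, decision in plan(PATCH, NODES).items():
        print(node, decision)
```

Switching `require_all` to `False` makes ws-02 eligible, because the application condition alone is satisfied from the update system's assignment data even though the file is absent on the node.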

A data packet described on data packet management screen 800 may be added to the master control list. Data packets already present on the MCL may also be edited in data packet management screen 800. For example, a data packet to be edited may be selected in a list window 808. Data related to the data packet may be displayed in the sections previously discussed.

In an embodiment, data packet management screen 800 may include a view window 810. View window 810 may allow the user to select from several sets of data to view. Selections available to the user in view window 810 may include, but are not limited to: master control list 812, known data packets 814, prohibited data packets 816 and unknown data packets 818. Master control list selection 812 may allow the user to view data packets identified on the master control list. Known data packets selection 814 may allow the user to view all known data packets identified on the network during a scan of the network. As used herein, a “known” data packet refers to a data packet that is present on a list of recognized data packets available to the scanning application. Prohibited data packets selection 816 may allow a user to view data packets on the network that are identified in a prohibited data packets list. Unknown data packets selection 818 may allow the user to view data packets that were detected during a scan of the network, but which do not appear on the list of recognized data packets available to the scanning application.

Known data packets selection 814, prohibited data packets selection 816 and unknown data packets selection 818 may be collectively referred to as audit selections since information presented in these views is acquired by auditing (or scanning) the network. Selecting an audit selection may cause an audited data packets screen 1200 to be displayed, as depicted in FIG. 12. Audited data packets screen 1200 may include an audit list window 1202. Audit list window 1202 may include an alphabetical list of data packets falling into the selected audit selection category. If a particular data packet is selected in audit list window 1202, a list of computer systems having the selected data packet may be displayed as nodes in data packet window 1204.

In an embodiment, an audit selection category of a data packet may be changed by selecting the data packet in audit list window 1202 and selecting a menu option. For example, an unknown data packet may be added to the list of recognized data packets available to the scanning application. Similarly, a data packet may be added to the MCL or prohibited data packets list by selecting an appropriate menu option. If a version of a data packet desired to be distributed to one or more computer systems is identified in audit list window 1202, the data packet may be assigned to one or more computer systems by selecting an appropriate menu option. To assign a selected data packet for distribution to one or more computer systems, a data packet manager screen 800 as previously discussed may be displayed. Data acquired during the network audit may be pre-populated into appropriate portions of the opened data packet manager screen.

In an embodiment, an icon may be associated with various types of data packets displayed. That is, known data packets may be indicated by a first icon, unknown data packets by a second icon, etc. Changing the audit selection category of a data packet may cause the associated icon to be changed as well.

In an embodiment, an update system may allow computer systems coupled to a network to be assigned to management groups. For example, as depicted in FIG. 13, the update system may include a group manager screen 1300. Group manager screen 1300 may display a hierarchy of groups in a hierarchy window 1306. Additionally, a list of one or more computer systems assigned to a particular group may be displayed in a group members window 1308. In some embodiments, list window 808 may also be displayed on group manager screen 1300. In some embodiments, a user may alternate between a data packet management view (such as data packet manager screen 800) and a group management view (such as group manager screen 1300) by selecting a data packet tab 1304 or a group tab 1302. Additionally, in some embodiments, a node tab 1310 may enable a user to view information related to an individual computer system as discussed further below.

Using group manager screen 1300, the user may assign one or more computer systems to one or more groups. In an embodiment, computer systems may be assigned to groups according to criteria determined by the user. For example, a computer system may be assigned to a group according to computer system parameters such as operating system, hardware configuration, location, etc. In another example, computer systems may be assigned to groups according to arbitrary criteria determined by the user or in any other manner deemed appropriate by the user to form a hierarchy of groups. Additionally, in some embodiments, subgroups may be formed within groups. Names and/or other descriptive information may be assigned to each group or subgroup to assist the user in determining which computer systems are likely to be assigned to each group.

In an embodiment, group manager screen 1300 may include a view window 1312. View window 1312 may allow the user to arrange data displayed in group manager screen 1300 in a desired manner. Selections available to the user in the group manager screen view window may include, but are not limited to: group by nodes 1314 and group by assigned data packets 1316.

A “group by nodes” view of a group manager screen is depicted in FIG. 13. Expanding a group (e.g., by selecting a “+” icon associated with the group in hierarchy window 1306) may cause subgroups and/or nodes assigned to the group to be listed in hierarchy window 1306, as shown in FIG. 14. Selecting a group or subgroup in hierarchy window 1306 may cause group members window 1308 to change to include an associated data packets pane 1402 and a status of node members pane 1404. Associated data packets pane 1402 may list data packets assigned to the selected group or subgroup. Status of node members pane 1404 may display the installation status of assigned data packets. Status of node members pane 1404 may include information for data packets assigned to the selected group or subgroup including, but not limited to: data packet identification information, number of attempts to install the data packet, installation information (e.g., install time and date), whether the installation was successful, whether errors were reported, and whether the installation has been verified by a subsequent network audit. Additionally, assigned data packets may be color coded in the display to make status identification easier. For example, a data packet installation that is considered complete (e.g., the data packet has been installed and verified) may be highlighted in blue, a data packet installation that is considered incomplete (e.g., the installation has not been verified or has not been executed) may be highlighted in gray, and a data packet installation that has met or exceeded an allowed number of unsuccessful installation attempts (e.g., number of installation attempts threshold 702) may be highlighted in orange.

FIG. 15 depicts an exemplary embodiment of a group manager screen 1500 in “group by assigned data packets” view. In the “group by assigned data packets” view, hierarchy window 1306 includes groups and subgroups as before. However, rather than displaying nodes associated with each group or subgroup, hierarchy window 1306 displays a list of data packets assigned to each group or subgroup. If a group or subgroup is selected in hierarchy window 1306, the list of data packets assigned to the selected group or subgroup is displayed in assigned data packets window 1502. If a data packet is selected in assigned data packets window 1502, status of installation of the data packet on each node of the group or subgroup is displayed in status window 1504. Installation status may be displayed as previously described.

Assigned data packets window 1502 may display data packets in the order they are scheduled to be installed on the selected group or subgroup. Thus, the first data packet listed is the next data packet to be installed on the selected group or subgroup. The user may change the scheduled order by dragging and dropping or by using a pull down menu selection available by selecting a data packet. Thus, if a more urgently needed data packet (e.g., a security patch) is currently scheduled last, the user may drag and drop the more urgent data packet to the first position, or select a change order menu option to move the more urgent data packet forward.

In an embodiment, the user may select an assigned data packet to review details regarding the data packet. For example, FIG. 16 shows a configuration for group window 1602 for the data packet selected in hierarchy window 1306. Configuration for group window 1602 may include information related to the data packet such as data packet name, data packet version, location of the data packet in a memory (e.g., file path), whether the data packet is disabled from being installed, etc.

From group manager screen 1300, the user may set various parameters associated with groups and/or subgroups. For example, a group/subgroup pull down menu 1700, similar to the one depicted in FIG. 17, may be available to the user if a group or subgroup is selected. A similar pull down menu may be available to the user upon selection of an individual node. Options available on group/subgroup pull down menu 1700 may include an option to add subgroups and/or nodes 1702, and an option to delete a group or subgroup 1716. A group or subgroup may also be enabled or disabled by selecting enable or disable options 1704. If the group or subgroup is disabled, then no data packets may be scheduled to be sent to the group or subgroup. “Administrator message for logged off users” option 1706 may allow the user of the update system to prepare a free form text message to be sent to a user of a computer system if the computer system user is forcibly logged off of the network by the update system. Similarly, a reset logoff option 1708 allows a user of the update system to reset a parameter associated with a computer system which indicates that the computer system is prohibited from logging on to the network.

Several scheduling options may also be available to the user. For example, the user may select group schedule and configuration option 1710 to view configuration information regarding the selected group or subgroup. Selecting group schedule and configuration option 1710 may also display the schedule for sending one or more data packets to computer systems assigned to the group or subgroup. Group schedule and configuration option 1710 may allow the user to specify a date range during which the update system is to attempt to send data packets to the selected group or subgroup. Alternately, the user may be able to specify a frequency at which the update system will attempt to send data packets to the selected group or subgroup. For example, the update system may attempt to send data packets to a group or subgroup on a daily, weekly, monthly or other basis. The user may also be able to specify a particular time within the established frequency that data packets should be sent. For example, data packets may be sent daily between 1 a.m. and 2 a.m. In another example, data packets may be sent weekly on Sunday mornings. Group schedule and configuration option 1710 may also allow a user to disable an update schedule configured for the group or subgroup. This feature may be useful if the schedule needs to be bypassed temporarily, but the user does not want to configure a new schedule or lose the old schedule. Group schedule and configuration option 1710 may also allow the user to configure options related to how users of computer systems assigned to the selected group or subgroup perceive receiving sent data packets. For example, the update system may be configured to send the data packets entirely in the background. In such a case, users of computer systems receiving data packets from the update system may not be notified in any way that the data packets are being received. Alternately, the update system may cause a window to be displayed on computer systems assigned to the group or subgroup to notify users of the computer systems when data packets are being received. An additional configuration option that may be available via group schedule and configuration option 1710 is a client debugging option. Turning on the client debugging option may cause a log file to be written on computer systems assigned to the group or subgroup when the update system is sending data packets to them. The log file may be useful to assist a network administrator in identifying problems if one or more data packets are not installed correctly onto one or more computer systems by the update system.

Another option that may be available on group/subgroup pull down menu 1700 is a verification interval option 1712. Verification interval option 1712 may allow a user to set a frequency and/or time period during which computer systems assigned to the selected group or subgroup will be scanned. As used herein, “scanning” a computer system refers to determining configuration information regarding the computer system. For example, scanning may collect information such as, but not limited to: hardware configuration and/or software configuration. Hardware configuration may include information such as type of processor, hardware assets coupled to the computer system (e.g., mouse, keyboard and/or monitor type), memory available to the computer system, etc. Software configuration may include information such as name, version and/or version date of software applications on the computer system. Software configuration may also include information regarding data files (e.g., graphics files, text files, etc.) present on the computer system. Settings available via verification interval option 1712 may allow the user to specify that computer systems assigned to the group or subgroup should be scanned after the passing of a specified number of minutes, hours, days, etc. or when a user of a computer system logs in to the computer system.

In an embodiment, group/subgroup pull down menu 1700 may also give the user of the update system the option to initiate a scan of computer systems assigned to the group or subgroup immediately. For example, Run hotfix analyzer for group option 1714 may immediately initiate a scan of computer systems assigned to the group or subgroup using the HotFix utility available from Microsoft Corp. of Redmond, Wash.

As previously mentioned, a list of options similar to group/subgroup pull down menu 1700 may be available to the user by selecting an individual node rather than a group or subgroup. One difference between the options available for a node and the options available for a group or subgroup may be an option to review results of scanning a computer system. Scanning data is typically most useful on an individual computer basis. Therefore, a scan results option may only be available in a node pull down menu. However, in certain embodiments, a scanning program may be used that provides information at the group or subgroup level. In such cases, a review scan results option may be available at the group/subgroup level.

Also within the group manager view, a user may select an assigned data packet to view a pull down menu of options related to the selected data packet. For example, in an embodiment, options available in a data packet pull down menu may include a “force update now” option. A “force update now” option may immediately initiate sending one or more selected data packets to computer systems assigned to one or more groups or subgroups. The force update now option may be particularly useful for very high priority data packets such as security patches and/or virus definitions for virus protection software.

As previously mentioned, a node tab 1310 may allow a user to view information related to individual computer systems (i.e., nodes) coupled to a network. An embodiment of a node manager screen 1800 is depicted in FIG. 18. Node manager screen 1800 may be displayed in response to selection of node tab 1310.

Node manager screen 1800 may include a nodes window 1802 and a configuration window 1804, as well as one or more windows previously described (e.g., list window 808 and hierarchy window 1306). Nodes window 1802 may display a list of computer systems. The list of computer systems displayed may depend on one or more selections made in hierarchy window 1306. For example, if no group or subgroup is selected in hierarchy window 1306, then nodes window may display computer systems coupled to the network that are not assigned to any group or subgroup. However, if a group or subgroup is selected in hierarchy window 1306, then computer systems assigned to the selected group or subgroup may be displayed in nodes window 1802. Each node identified in nodes window 1802 may be associated with an icon. The icon displayed may depend on whether or not the associated node has been assigned to a group or subgroup. Thus, a first icon may indicate a node that is not assigned to any group or subgroup; whereas, a second icon may indicate that a node has been assigned to a group or subgroup.

Configuration window 1804 may display information related to the hardware and/or software configuration of a computer system selected in nodes window 1802. For example, configuration window 1804 may display configuration information including, but not limited to: hardware devices coupled to the computer system, operating system(s) present on the computer system and one or more data packets present on the computer system. Configuration information may be determined based on scanning one or more computer systems as previously described. In an embodiment, configuration window 1804 may selectively display configuration information based on a user defined configuration. For example, configuration window 1804 may only display known data packets, unknown (e.g., unrecognized) data packets, prohibited data packets, and/or allowed (e.g., not prohibited) data packets. In yet another embodiment, configuration window 1804 may display a desired and/or expected configuration of one or more computer systems. For example, a desired configuration may include information regarding data packets assigned to, but not yet installed on, a computer system. Similarly, an expected configuration may include information from an MCL regarding current or expected versions of various data packets.

In an embodiment, node manager screen 1800 may allow a user to assign one or more nodes to groups or subgroups. For example, one or more nodes may be selected. The selected node(s) may be assigned to groups/subgroups by dragging and dropping them. Alternately, a pull down menu may allow selected nodes to be assigned to groups/subgroups. In yet another example, a pull down menu associated with a group or subgroup may cause an add nodes screen 1900 to be displayed as depicted in FIG. 19.

In an embodiment, add nodes screen 1900 may allow the user to search for nodes meeting specified criteria. Results of the search may be displayed in a results window 1902. The user may then assign one or more computer systems identified in results window 1902 to the group or subgroup the user selected when the add nodes screen was opened. In an embodiment, the user may select an “add all” button 1904 to assign all of the computer systems identified in results window 1902 to the group or subgroup. Alternately, the user may select one or more computer systems in results window 1902 and select an “add selected” button 1906 to add only the selected computer systems to the group or subgroup.

In an embodiment, if a computer system that is already assigned to a group or subgroup is selected to be assigned to another group or subgroup, the user may be notified that the selected computer system is already assigned to a group or subgroup. The user may then be asked to confirm the assignment of the selected computer system to the selected group or subgroup. Similarly, in an embodiment, the user may be inhibited from deleting a non-empty group or subgroup. That is, only groups or subgroups with no subgroups or nodes assigned may be deleted.

In an embodiment, node manager screen 1800, group manager screen 1300 and/or data packet management screen 800 may be used to assign a data packet to one or more computer systems or one or more groups of computer systems. For example, a data packet may be selected in list window 808 and dragged and dropped to a desired computer system in nodes window 1802 or to a desired group or subgroup in hierarchy window 1306. Data packets assigned to computer systems or groups of computer systems may be represented in nodes window 1802 and/or hierarchy window 906 to provide ready confirmation of data packets assigned to various computer systems and/or groups.

After assigning a data packet to at least one computer system, an assigned data packets window 2002 may be added to the manager screen currently in use (e.g., node manager screen 1800, group manager screen 1300, or data packet manager screen 800). FIG. 20 depicts an embodiment of an assigned data packets window 2002. Assigned data packets window 2002 may display information related to one or more data packets assigned to a selected computer system, group or subgroup. For example, assigned data packets window 2002 may display data packet identification information as was discussed previously.

In an embodiment, node manager screen 1800 may include a view window 1806. View window 1806 may allow the user to arrange data displayed in node manager screen 1800 in a desired manner. Selections available to the user in the node manager view window may include, but are not limited to: all nodes view 1808, groupless nodes view 1810, and disabled nodes view 1812. As the name implies, all nodes view 1808 may cause all nodes (i.e., computer systems) of the network to be listed regardless of the status of the node. Groupless nodes view 1810 may cause only nodes that are not assigned to any group or subgroup to be listed. Disabled nodes view 1812 may cause nodes that have been disabled to be listed.

Other view options may be available to the user in node manager screen 1800. For example, window selection buttons 1814, 1816, 1818 and 1820 at the bottom of node manager screen 1800 may enable the user to change the windows presented in node manager screen 1800. All windows selection 1820 may present all of the windows previously described in the node manager screen 1800 as depicted in FIG. 18. In an embodiment, the all windows configuration may be the default way that node manager screen 1800 is displayed. Nodes only selection 1814 may limit the windows presented to nodes window 1802 and configuration window 1804. The nodes only view may allow more information about the nodes or a particular node to be displayed at one time. Nodes and groups selection 1816 may limit the windows presented to hierarchy window 1306, nodes window 1802 and configuration window 1804. Similarly, nodes and data packets selection 1818 may limit the windows displayed to list window 808, nodes window 1802 and configuration window 1804.

In an embodiment, an update system may provide one or more reports to the user regarding update system activities and/or status. Reports provided via the update system may include color coding of status information as previously described regarding FIGS. 7 and 14. Reports available via the update system may include reports such as those depicted in FIGS. 21A through 21L. FIG. 21A depicts an example of an Executive Summary report. FIG. 21B depicts an example of an overview report of status and activities for an entire network. FIG. 21C depicts an example of an overview report of status and activities related to a group. FIG. 21D depicts an example of a report of status and activities related to nodes in a group. FIG. 21E depicts an example of a report of status and activities related to data packets assigned to a group. FIG. 21F depicts an example of an overview report of status and activities related to particular data packets. FIG. 21G depicts an example of a data packet installation history report. FIG. 21H depicts an example of a data packet detail report. FIG. 21I depicts an example of a detailed report of status and activities related to one or more nodes. FIG. 21J depicts an example of a report summarizing software applications identified on a network. FIG. 21K depicts an example of a report listing installation history of the update system by node. FIG. 21L depicts an example of a report summarizing status and activities related to a number of groups.

Various embodiments further include receiving or storing instructions and/or data implemented in accordance with the description herein upon a carrier medium. Suitable carrier media include memory media or storage media such as magnetic or optical media, e.g., disk or CD-ROM, as well as transmission media or signals such as electrical, electromagnetic, or digital signals, conveyed via a communication medium such as networks and/or a wireless link.

Although the systems and methods of the present invention have been described in connection with several embodiments, the invention is not intended to be limited to the specific forms set forth herein, but on the contrary, it is intended to cover such alternatives, modifications, and equivalents as can be reasonably included within the spirit and scope of the invention as defined by the appended claims.

1. An update system comprising: a network interface configured to: receive, from a server, client configuration information associated with a plurality of client computer systems, wherein the client configuration information is determined based on scanning, by one or more scanning agents, at least some of the plurality of client computer systems; and communicate a message to the server; a memory configured to store: a list of data packet entries, each data packet entry comprising: first information identifying a data packet; second information indicating which client computer systems of the plurality of client computer systems should have the data packet installed; and one or more conditions for installation of the data packet; the client configuration information; and a processor configured to: select the data packet to install on a client computer system of the plurality of client computer systems based on a comparison of the client configuration information to the second information, wherein the comparison provides an indication that the data packet is transmissible to the client computer system; determine that the client computer system of the plurality of client computer systems meets the one or more conditions associated with the data packet based on the client configuration information; generate the message in response to the determination that the client computer system meets the one or more conditions, the message comprising a command requesting the server to communicate the data packet to an agent application installed on the client computer system; and verify that the data packet was successfully installed on the client computer system.

2. The update system of claim 1, wherein the processor is further configured to: determine an installation status of the data packet on two or more client computer systems of the plurality of client computer systems; and generate a view for display to a user, the view providing a graphical representation of the installation status.

3. The update system of claim 1, wherein: the data packet comprises a software patch associated with a client software program; and the client configuration information comprises information indicating whether the software patch is installed on one or more client computer systems of the plurality of client computer systems.

4. The update system of claim 1, wherein the one or more conditions comprise one or more of the following: a condition that a client software program is installed on the client computer system; a condition that the client software program is not installed on the client computer system; a condition that a version of an operating system is installed on the client computer system; and a condition associated with content of a system registry of the client computer system.

5. The update system of claim 1, wherein: the memory is further configured to store group data associating one or more client computer systems of the plurality of client computer systems with a group; and the processor is further configured to: assign the one or more client computer systems to the group based on one or more portions of the client configuration information; and generate a view for display to a user, the view providing a graphical depiction of the one or more client computer systems assigned to the group.

6. The update system of claim 5, wherein: the network interface is further configured to receive user input selecting a subset of the plurality of client computer systems; and the processor is further configured to assign the one or more client computer systems to the group based on the user input.

7. The update system of claim 1, wherein the server comprises a computer program executed by the processor of the update system.

8. The update system of claim 1, wherein the server comprises a computer program executed by another processor of a computer system remote from the update system.

9. The update system of claim 1, wherein: the memory is further configured to store the data packet; and the message further comprises the data packet.
 10. The update system of claim 1, wherein theprocessor is further configured to: identify one or more prohibited datapackets present on the client computer system based on comparing theconfiguration information to the list; and generate a view for displayto a user, the view depicting the one or more prohibited data packets.11. The update system of claim 1, wherein the client configurationinformation comprises: hardware information identifying one or morehardware components of the client computer system; data packetinformation indicating whether the data packet is installed on theclient computer system; and operating system information indicating aversion of an operating system installed on the client computer system.12. A non-transitory computer-readable medium comprising logic that,when executed by a processor, is operable to: access clientconfiguration information comprising: hardware information identifyingone or more hardware components of a client computer system; data packetinformation indicating whether the data packet is installed on theclient computer system; and operating system information indicating aversion of an operating system installed on the client computer system;access a control list comprising a plurality of data packet entries,each data packet entry comprising: a data packet identifier; and one ormore conditions associated with a data packet; determine that the clientcomputer system meets the one or more conditions associated with thedata packet based on the client configuration information, wherein theclient configuration information is determined based on scanning, by oneor more scanning agents, at least the client computer system; installthe data packet on the client computer system in response to anindication that the data packet is transmissible to the client computersystem and in response to the determination that the client computersystem meets the one or more conditions associated with the data packet;and verify that the data packet 
was successfully installed on the clientcomputer system.
 13. The medium of claim 12, wherein the data packetcomprises a software patch associated with a client software programinstalled on the client computer system.
 14. The medium of claim 12,wherein installation of the data packet on the client computer system istriggered by a command from a server remote from the client computersystem.
 15. The medium of claim 12, wherein the one or more conditionscomprise one or more of the following: a condition that a clientsoftware program is installed on the client computer system; a conditionthat the client software program is not installed on the client computersystem; a condition that a version of an operating system is installedon the client computer system; and a condition associated with contentof a system registry of the client computer system.
 16. The medium ofclaim 12, wherein the client computer system is assigned to a groupbased on the client configuration information.
 17. The medium of claim12, wherein the client computer system is assigned to a group based oninput from a user.
 18. The medium of claim 12, wherein the logic, whenexecuted by the processor, is further operable to determine the clientconfiguration information at a plurality of scheduled times.
 19. Themedium of claim 12, wherein the logic, when executed by the processor,is further operable to determine audit information associated with theclient computer system, the audit information comprising informationidentifying one or more unknown data packets on the client computersystem.
 20. The medium of claim 12, wherein the logic, when executed bythe processor, is further operable to determine audit informationassociated with the client computer system, the audit informationcomprising information identifying one or more prohibited data packetson the client computer system.
 21. An update system comprising: anetwork interface configured to: receive, from a server, clientconfiguration information associated with a plurality of client computersystems, wherein the client configuration information is determinedbased on scanning, by one or more scanning agents, at least some of theplurality of client computer systems; receive input from a user; andcommunicate a message to the server; a memory configured to store: theclient configuration information; and a list of software patch entries,each software patch entry associated with a software patch andcomprising: first information identifying the software patch; and secondinformation identifying which client computer systems of the pluralityof client computer systems should have the software patch installed; anda processor configured to: identify one or more software patches to beinstalled on one or more client computer systems of the plurality ofclient computer systems based on the client configuration informationand the list of software patch entries and based on an indication thatthe one or more software patches are transmissible to the one or moreclient computer systems; generate a first view for display to the user,the first view identifying the one or more software patches; process theinput from the user, the input requesting installation of the one ormore software patches; generate the message in response to the input,the message comprising a command requesting the server to communicatethe one or more software patches to an agent application installed oneach of the one or more client computer systems; determine aninstallation status of the one or more software patches on the one ormore client computer systems; and generate a second view for display tothe user, the second view providing a graphical representation of theinstallation status.